Bumps @svgr/webpack dependency to version 6.2.1

[daschaa]

Regarding the issue #12146 the @svgr/webpack dependency has to be updated to fix the security warning related to the transitive nth-check dependency.

[daschaa]

@iansu / @mrmckeb
Any feedback on this? Would be cool to have this merged so repositories which are using CRA (react-scripts in particular) would not be bothered by dependabot complaining about the CVE (GHSA) in nth-check.

[bbodensieck]

All checks are fine. Could you please merge this?

[jy95]

Up

[ranman]

This should be merged.

[bakgaard]

Please do hit the merge-button 🙂

[BrandonKoala]

@iansu @mrmckeb Bumping this for visibility

[Lsnsh]

These issues may all need this PR：

• Bump svgr/webpack to 6.x #12146
• Vulnerability in react-scripts > @svgr/webpack > @svgr/plugin-svgo > svgo > css-select > nth-check & css-what #12132
• Bug: [5.0] SVGs cannot be imported (not as components, but regular import) #11770
• SVGR generates invalid react component #11753

Similar PR, no progress:

• webpack version upgrade #12026
• Upgrade to svgr 6 #11780

---

SVGR issue, about SVG with CDATA:

• SVGR exception with CDATA inside <style/> tag gregberge/svgr#558
  • An error like this occurs: Error: Expected node, got ***

[daschaa]

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

[seavor]

"Please sir, may I have some merges?"

[jy95]

[Master-Guy]

Would it help to @ the two reviewers?

[rap2hpoutre]

@Master-Guy You are right, we can try @mrmckeb @iansu 👋

[szakharchenko]

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

Only 6 months? Those are rookie numbers.

[daschaa]

@gaearon Can we close this pull request? Or is it maybe a good idea to bump the dependency to a newer version even if the vulnerability is not affecting react-scripts?
I don't know the details of the newest version here, but maybe there are internal improvements as well.

[sebastienpa]

@iansu @mrmckeb please merge 🙏

[mpavlikWandera]

@iansu @mrmckeb please merge 🙏

[wozzo]

Tbh I am also quite surprised that there is not even a response by the maintainers to this pull request.

Only 6 months? Those are rookie numbers.

What do I win? 🤣

[vijaya-lakshmi-venkatraman]

Hi,
Is there a timeline to expect this merge so we can plan accordingly?

[Phonesis]

Quite vital this is merged soon as it a security issue

[mpavlikWandera]

This may not be a security issue in itself, but it is blocking us from fixing other security issues because this is a blocking dependency :( .

[alexishecf]

Not impacting production but pretty straightforward, should be merged

[andresmanikis]

You can always override the dependency like this in your project's package.json.

"overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

Having said that, I think this should be reviewed by the maintainers. Don't know why it hasn't been yet.

[andresmanikis]

Hi @daschaa, I'm glad you took the time to raise this PR.
I'm not sure which should be the test plan to make sure everything is working properly after the change.
I guess at least checking that SVGs are loaded correctly and also all the tests are passing (which I guess must be part of the CI checks, right?).

Would be great if it can be reviewed by one of the owners and see if there's something else needed.

[danvitoriano]

Hi people, any updates on merge this PR? My Sec team is hopefully waiting for us to fix the Snyk vulnerability on this svg lib version <3

[daschaa]

@andresmanikis
Thanks for your feedback. I will add all the necessary stuff as soon as a maintainer who is willing to review this PR gives feedback.
I don't know why no one from Meta looks at this. At least any kind of feedback would be nice.

[andresmanikis]

Yes. Don't know either.

[mpavlikWandera]

@iansu @mrmckeb could you pls have a look? or at least give us a reason why this is stuck for so long?

[tgross35]

There are a few sources suggesting this tool is deprecated (e.g. #13072), which seems to line up with the lack of maintenance. It seems like that might be the reason this hasn't been addressed in way too long.

Edit: better source reactjs/react.dev#5487

[ethhandy]

You can always override the dependency like this in your project's package.json.

"overrides": {
    "react-scripts": {
      "@svgr/webpack": "6.5.1"
    }
  }

Having said that, I think this should be reviewed by the maintainers. Don't know why it hasn't been yet.

@andresmanikis, this doesn't work for old versions of npm.
My npm version is 6.14.15 and node version is 14.18.3. So, can't use override.